summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDarren Tucker <dtucker@zip.com.au>2014-06-17 23:06:07 +1000
committerDarren Tucker <dtucker@zip.com.au>2014-06-17 23:06:07 +1000
commit316fac6f18f87262a315c79bcf68b9f92c9337e4 (patch)
tree4ca56b926c75d844cf69b33461be32ae178e62e7
parentaf665bb7b092a59104db1e65577851cf35b86e32 (diff)
- (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}] Move the OpenSSL header/library version test into its own function and add tests for it. Fix it to allow fix version upgrades (but not downgrades). Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150). ok djm@ chl@
-rw-r--r--ChangeLog8
-rw-r--r--entropy.c11
-rw-r--r--openbsd-compat/openssl-compat.c37
-rw-r--r--openbsd-compat/openssl-compat.h4
-rw-r--r--openbsd-compat/regress/.cvsignore3
-rw-r--r--openbsd-compat/regress/Makefile.in6
-rw-r--r--openbsd-compat/regress/opensslvertest.c69
7 files changed, 122 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index b8b3c0158..f7c5b1297 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
120140617
2 - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
3 openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
4 Move the OpenSSL header/library version test into its own function and add
5 tests for it. Fix it to allow fix version upgrades (but not downgrades).
6 Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
7 ok djm@ chl@
8
120140616 920140616
2 - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via 10 - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR. From rak at debian via
3 OpenSMTPD and chl@ 11 OpenSMTPD and chl@
diff --git a/entropy.c b/entropy.c
index 2d483b391..e1a8e142b 100644
--- a/entropy.c
+++ b/entropy.c
@@ -209,16 +209,7 @@ seed_rng(void)
209#ifndef OPENSSL_PRNG_ONLY 209#ifndef OPENSSL_PRNG_ONLY
210 unsigned char buf[RANDOM_SEED_SIZE]; 210 unsigned char buf[RANDOM_SEED_SIZE];
211#endif 211#endif
212 /* 212 if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
213 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
214 * We match major, minor, fix and status (not patch) for <1.0.0.
215 * After that, we acceptable compatible fix versions (so we
216 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
217 * within a patch series.
218 */
219 u_long version_mask = SSLeay() >= 0x1000000f ? ~0xffff0L : ~0xff0L;
220 if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
221 (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
222 fatal("OpenSSL version mismatch. Built against %lx, you " 213 fatal("OpenSSL version mismatch. Built against %lx, you "
223 "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay()); 214 "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
224 215
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 885c121f2..0e5f2cea5 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ 1/* $Id: openssl-compat.c,v 1.18 2014/06/17 13:06:08 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -35,6 +35,41 @@
35#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS 35#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
36#include "openssl-compat.h" 36#include "openssl-compat.h"
37 37
38/*
39 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
40 * We match major, minor, fix and status (not patch) for <1.0.0.
41 * After that, we acceptable compatible fix versions (so we
42 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
43 * within a patch series.
44 */
45
46int
47ssh_compatible_openssl(long headerver, long libver)
48{
49 long mask, hfix, lfix;
50
51 /* exact match is always OK */
52 if (headerver == libver)
53 return 1;
54
55 /* for versions < 1.0.0, major,minor,fix,status must match */
56 if (headerver < 0x1000000f) {
57 mask = 0xfffff00fL; /* major,minor,fix,status */
58 return (headerver & mask) == (libver & mask);
59 }
60
61 /*
62 * For versions >= 1.0.0, major,minor,status must match and library
63 * fix version must be equal to or newer than the header.
64 */
65 mask = 0xfff0000fL; /* major,minor,status */
66 hfix = (headerver & 0x000ff000) >> 12;
67 lfix = (libver & 0x000ff000) >> 12;
68 if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
69 return 1;
70 return 0;
71}
72
38#ifdef SSH_OLD_EVP 73#ifdef SSH_OLD_EVP
39int 74int
40ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, 75ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 276b9706d..199dcc882 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.27 2014/06/17 13:06:08 dtucker Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -22,6 +22,8 @@
22#include <openssl/rsa.h> 22#include <openssl/rsa.h>
23#include <openssl/dsa.h> 23#include <openssl/dsa.h>
24 24
25int ssh_compatible_openssl(long, long);
26
25/* Only in 0.9.8 */ 27/* Only in 0.9.8 */
26#ifndef OPENSSL_DSA_MAX_MODULUS_BITS 28#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
27# define OPENSSL_DSA_MAX_MODULUS_BITS 10000 29# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
diff --git a/openbsd-compat/regress/.cvsignore b/openbsd-compat/regress/.cvsignore
index afbf7cc3f..33074f4a3 100644
--- a/openbsd-compat/regress/.cvsignore
+++ b/openbsd-compat/regress/.cvsignore
@@ -2,4 +2,5 @@ Makefile
2snprintftest 2snprintftest
3strduptest 3strduptest
4strtonumtest 4strtonumtest
5 5closefromtest
6opensslvertest
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index bcf214bd0..dabdb0912 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ 1# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,11 +16,11 @@ LIBS=@LIBS@
16LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) 16LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
17 17
18TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ 18TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
19 strtonumtest$(EXEEXT) 19 strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
20 20
21all: t-exec ${OTHERTESTS} 21all: t-exec ${OTHERTESTS}
22 22
23%$(EXEEXT): %.c 23%$(EXEEXT): %.c $(LIBCOMPAT)
24 $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) 24 $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
25 25
26t-exec: $(TESTPROGS) 26t-exec: $(TESTPROGS)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
new file mode 100644
index 000000000..5d019b598
--- /dev/null
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -0,0 +1,69 @@
1/*
2 * Copyright (c) 2014 Darren Tucker
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include <stdio.h>
18#include <stdlib.h>
19
20int ssh_compatible_openssl(long, long);
21
22struct version_test {
23 long headerver;
24 long libver;
25 int result;
26} version_tests[] = {
27 /* built with 0.9.8b release headers */
28 { 0x0090802fL, 0x0090802fL, 1}, /* exact match */
29 { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
30 { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
31 { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
32 { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
33 { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
34 { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
35
36 /* built with 1.0.1b release headers */
37 { 0x1000101fL, 0x1000101fL, 1},/* exact match */
38 { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
39 { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
40 { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
41 { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
42 { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
43 { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
44 { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
45};
46
47void
48fail(long hver, long lver, int result)
49{
50 fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
51 exit(1);
52}
53
54int
55main(void)
56{
57 unsigned int i;
58 int res;
59 long hver, lver;
60
61 for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
62 hver = version_tests[i].headerver;
63 lver = version_tests[i].libver;
64 res = version_tests[i].result;
65 if (ssh_compatible_openssl(hver, lver) != res)
66 fail(hver, lver, res);
67 }
68 exit(0);
69}